Securonix SNYPR
SNYPR is a big data security analytics platform built on Hadoop. It uses Securonix machine-learning-based anomaly detection techniques and threat models to detect sophisticated cyber and insider attacks.

## Capabilities

This connector provides the following capabilities:

- Run Activity Query
- Get Top Threats
- Get Top Violations
- Get Top Violators
- List All Policies
- List All Users
- Retrieve List of Incidents

Note: to get "all violations by policy name", use the Run Activity Query action with the query `index=violation and policyname = <policyname> and <additional conditions>`.

## Asset Setup

This connector asset requires a URL, a username and a password to authenticate.

Additional notes:

- The base URL or host URL must be in the format `<hostname or ipaddress>/snypr`.
- When using the Retrieve List of Incidents action, note that the `tenantname` parameter is optional for non-MSSP deployments and is required for MSSP deployments. If needed, see the Retrieve List of Incidents API documentation: https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/rest-api-categories.htm#retrieve-list-of-incidents

## Configurations

### Securonix SNYPR Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Run Activity Query

Run simple searches from the Unified Defense SIEM interface on the activity collection. Searches using the `|` (pipe) operator are not currently supported.

Endpoint URL: `snypr/ws/spotter/index/search`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| query | string | required | Parameter for Run Activity Query |
| eventtime_from | string | required | Parameter for Run Activity Query |
| eventtime_to | string | required | Parameter for Run Activity Query |
| tz | string | optional | Parameter for Run Activity Query |
| prettyJson | boolean | optional | Parameter for Run Activity Query |
| max | number | optional | This parameter is only available for version 6.2 CU4 SP4 and above |
| queryId | string | optional | This parameter is only available for version 6.2 CU4 SP4 and above |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totaldocuments | number | Output field totaldocuments |
| events | array | Output field events |
| timeline_by_month | string | Output field timeline_by_month |
| rg_timezoneoffset | string | Output field rg_timezoneoffset |
| resourcegroupname | string | Name of the resource |
| eventid | string | Unique identifier |
| ipaddress | string | Output field ipaddress |
| week | string | Output field week |
| year | string | Output field year |
| accountresourcekey | string | Output field accountresourcekey |
| resourcehostname | string | Name of the resource |
| sourceprocessname | string | Name of the resource |
| rg_functionality | string | Output field rg_functionality |
| userid | string | Unique identifier |
| customfield2 | string | Output field customfield2 |
| dayofmonth | string | Output field dayofmonth |
| jobid | string | Unique identifier |
| resourcegroupid | string | Unique identifier |
| datetime | string | Time value |
| timeline_by_hour | string | Output field timeline_by_hour |
| collectiontimestamp | string | Output field collectiontimestamp |
| hour | string | Output field hour |
| accountname | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:34:27 GMT",
      "Content-Type": "text/plain",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje"
    },
    "reason": "",
    "json_body": {
      "totaldocuments": 69490,
      "events": [],
      "error": false,
      "available": false,
      "queryId": "spotterwebservicee8904c76-b230-4ad7-990f-eefd220a22b8",
      "applicationTz": "CST6CDT",
      "inputParams": {},
      "index": "activity"
    }
  }
]
```

### Get Top Threats

Get the top threats in the specified time period and the count of violators for each threat.

Endpoint URL: `snypr/ws/sccWidget/getTopThreats`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| dateunit | string | required | Parameter for Get Top Threats |
| dateunitValue | number | required | Value for the parameter |
| offset | number | required | Parameter for Get Top Threats |
| max | number | required | Parameter for Get Top Threats |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Response | object | Output field Response |
| Date range | array | Output field Date range |
| Total records | number | Output field Total records |
| Docs | array | Output field Docs |
| Threat Model Id | number | Unique identifier |
| Threat Model Name | string | Name of the resource |
| Description | string | Output field Description |
| Criticality | string | Output field Criticality |
| No of Violator | number | Output field No of Violator |
| Generation Time | number | Time value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:34:04 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje"
    },
    "reason": "",
    "json_body": {
      "Response": {}
    }
  }
]
```

### Get Top Violations

Get the top violations in the specified time period and the count of violators for each violation.

Endpoint URL: `snypr/ws/sccWidget/getTopViolations`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| dateunit | string | required | Parameter for Get Top Violations |
| dateunitValue | number | required | Value for the parameter |
| offset | number | required | Parameter for Get Top Violations |
| max | number | required | Parameter for Get Top Violations |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Response | object | Output field Response |
| Date range | array | Output field Date range |
| Total records | number | Output field Total records |
| Docs | array | Output field Docs |
| Policy Id | number | Unique identifier |
| Policy Name | string | Name of the resource |
| Criticality | string | Output field Criticality |
| Violation Entity | string | Output field Violation Entity |
| Policy Category | string | Output field Policy Category |
| Threat Indicator | string | Output field Threat Indicator |
| Generation Time | number | Time value |
| No of Violator | number | Output field No of Violator |
| Description | string | Output field Description |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:33:45 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje"
    },
    "reason": "",
    "json_body": {
      "Response": {}
    }
  }
]
```

### Get Top Violators

Get the top violators in the specified time period and the risk score of each violator.

Endpoint URL: `snypr/ws/sccWidget/getTopViolators`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| dateunit | string | required | Parameter for Get Top Violators |
| dateunitValue | number | required | Value for the parameter |
| offset | number | required | Parameter for Get Top Violators |
| max | number | required | Parameter for Get Top Violators |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| Response | object | Output field Response |
| Date range | array | Output field Date range |
| Total records | number | Output field Total records |
| Docs | array | Output field Docs |
| Name | string | Name of the resource |
| Violator Entity | string | Output field Violator Entity |
| Risk Score | number | Score value |
| Generation Time | number | Time value |
| Department | string | Output field Department |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:33:27 GMT",
      "Content-Type": "application/json",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje"
    },
    "reason": "",
    "json_body": {
      "Response": {}
    }
  }
]
```

### List All Policies

List the policies (also called rules) configured in SNYPR to detect violators, violations and threats. The response includes all policies available in the system.

Endpoint URL: `snypr/ws/policy/getAllPolicies`

Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| policies | object | Output field policies |
| policy | array | Output field policy |
| createdBy | string | Output field createdBy |
| createdOn | string | Output field createdOn |
| criticality | string | Output field criticality |
| description | string | Output field description |
| hql | object | Output field hql |
| id | string | Unique identifier |
| name | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:32:56 GMT",
      "Content-Type": "application/xml",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje",
      "Set-Cookie": "JSESSIONID=610ace2e3babf8b2a161b50770a84799; Path=/snypr; Secure; HttpOnly"
    },
    "reason": "",
    "json_body": {
      "policies": {}
    }
  }
]
```

### List All Users

List all users in the users collection.

Endpoint URL: `snypr/ws/spotter/index/search?query=index=users`

Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| totaldocuments | number | Output field totaldocuments |
| events | array | Output field events |
| country | string | Output field country |
| userriskscore | string | Score value |
| firstname | string | Name of the resource |
| employeetype | string | Type of the resource |
| manageremployeeid | string | Unique identifier |
| masked | string | Output field masked |
| usertimezoneoffset | string | Output field usertimezoneoffset |
| createdate | string | Date value |
| title | string | Output field title |
| employeeid | string | Unique identifier |
| userid | string | Unique identifier |
| lastname | string | Name of the resource |
| division | string | Output field division |
| tenantid | string | Unique identifier |
| usercriticality | string | Output field usercriticality |
| managerlastname | string | Name of the resource |
| workemail | string | Output field workemail |
| tenantname | string | Name of the resource |
| location | string | Output field location |
| fullname | string | Name of the resource |
| department | string | Output field department |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 25 Jan 2024 00:29:53 GMT",
      "Content-Type": "text/plain",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
      "Cache-Control": "private, no-store, no-cache, must-revalidate",
      "X-Frame-Options": "DENY",
      "Pragma": "no-cache",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Content-Security-Policy": "frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; obje"
    },
    "reason": "",
    "json_body": {
      "totaldocuments": 1000,
      "events": [],
      "error": false,
      "available": false,
      "queryId": "spotterwebservicea98ad391-ed14-4ec1-ae7a-4295fff2fa23",
      "applicationTz": "CST6CDT",
      "inputParams": {},
      "index": "users",
      "nextCursorMarker": "aoepml5+mta3nday"
    }
  }
]
```

### Retrieve List of Incidents

Retrieve a list of incidents.

Endpoint URL: `snypr/ws/incident/get`

Method: GET

Input:

| Argument | Type | Required | Description |
|---|---|---|---|
| type | string | required | Enter the type as `list` |
| from | string | required | Enter the start time (epoch) in ms |
| to | string | required | Enter the end time in ms |
| offset | number | optional | This parameter is optional and is used for pagination |
| status | string | optional | Enter the status of the incident. This parameter is optional |
| rangeType | string | required | Type of the resource |
| allowChildCases | boolean | optional | Enter `true` to receive the list of child cases associated with a parent case in the response; otherwise, enter `false`. This parameter is optional |
| max | number | optional | Enter the maximum number of records the API will display. This is a numeral value and it is optional |
| sort | string | optional | Parameter for Retrieve List of Incidents |
| order | string | optional | Parameter for Retrieve List of Incidents |
| tenantname | string | optional | The name of the tenant from which the incidents will be retrieved |
| headers | object | required | HTTP headers for the request |
| Accept | string | required | Parameter for Retrieve List of Incidents |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| status | string | Status value |
| result | object | Result of the operation |
| data | object | Response data |
| totalIncidents | number | Unique identifier |
| incidentItems | array | Unique identifier |
| violatorText | string | Output field violatorText |
| lastUpdateDate | number | Date value |
| violatorId | string | Unique identifier |
| incidentType | string | Unique identifier |
| incidentId | string | Unique identifier |
| incidentStatus | string | Unique identifier |
| riskscore | number | Score value |
| assignedUser | string | Output field assignedUser |
| priority | string | Output field priority |
| reason | array | Response reason phrase |
| violatorSubText | string | Output field violatorSubText |
| entity | string | Output field entity |
| workflowName | string | Name of the resource |
| url | string | URL endpoint for the request |
| isWhitelisted | boolean | Output field isWhitelisted |
| watchlisted | boolean | Output field watchlisted |
| tenantInfo | object | Output field tenantInfo |
| tenantid | number | Unique identifier |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Length": "140",
      "Content-Type": "application/json",
      "Date": "Mon, 19 Feb 2023 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "status": "OK",
      "result": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | private, no-store, no-cache, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self' securonix.net; default-src 'self' securonix.net; object-src 'self' securonix.net data: blob:; script-src 'unsafe-inline' 'unsafe-eval' 'self' securonix.net https://edge.fullstory.com https://edge.fullstory.com https://rs.fullstory.com https://rs.fullstory.com http://iph.zoominsoftware.io/widget.js http://iph.zoominsoftware.io/widget.js data: blob:; style-src 'self' securonix.net https://fonts.googleapis.com https://fonts.googleapis.com 'unsafe-inline'; font-src 'self' securonix.net https://fonts.gstatic.com https://fonts.gstatic.com 'unsafe-inline'; connect-src 'self' securonix.net https://edge.fullstory.com https://edge.fullstory.com https://rs.fullstory.com https://rs.fullstory.com https://securonix-be-prod.zoominsoftware.io https://securonix-be-prod.zoominsoftware.io http://documentation-be.securonix.com http://documentation-be.securonix.com wss://saaspoc5t16expo.securonix.net:443 data: blob:; img-src 'self' securonix.net https://rs.fullstory.com https://rs.fullstory.com data: https:; child-src 'self' securonix.net blob: |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 25 Jan 2024 00:34:04 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Set-Cookie | HTTP response header Set-Cookie | JSESSIONID=610ace2e3babf8b2a161b50770a84799; Path=/snypr; Secure; HttpOnly |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | DENY |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

API documentation: https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/rest-api-categories.htm
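The request-building rules from the actions above (the `/snypr` base URL, the "all violations by policy name" query, the MSSP `tenantname` rule and `queryId` paging of Run Activity Query results), as an added Python example that is not part of the connector or of Securonix's own code. The `send` callable, the quote-stripping rule for the policy name and the exact `queryId` continuation behaviour are assumptions.

```python
from typing import Callable, Iterator, Optional

Send = Callable[[str, dict], dict]  # assumed: send(path, params) -> decoded JSON body


def normalize_base_url(url: str) -> str:
    """The asset URL must be '<hostname or ipaddress>/snypr'; append the suffix if missing."""
    url = url.rstrip("/")
    return url if url.endswith("/snypr") else url + "/snypr"


def violations_by_policy_query(policyname: str, extra: str = "") -> str:
    """Build the 'all violations by policy name' Spotter query from the Note above.
    The policy name is quoted and embedded quotes are dropped, so a caller-supplied
    name cannot smuggle in its own conditions (assumed quoting rule for Spotter)."""
    safe = policyname.replace('"', "")
    query = f'index=violation and policyname = "{safe}"'
    return f"{query} and {extra}" if extra else query


def incidents_params(from_ms: str, to_ms: str, range_type: str, *,
                     mssp: bool = False, tenantname: Optional[str] = None, **optional) -> dict:
    """Query parameters for /ws/incident/get. tenantname is optional for non-MSSP
    and mandatory for MSSP, as the asset notes state; enforce that before calling."""
    if mssp and not tenantname:
        raise ValueError("tenantname is required for MSSP deployments")
    params = {"type": "list", "from": from_ms, "to": to_ms, "rangeType": range_type}
    if tenantname:
        params["tenantname"] = tenantname
    params.update(optional)  # offset, status, max, sort, order, allowChildCases
    return params


def iter_activity(send: Send, query: str, eventtime_from: str, eventtime_to: str,
                  page_size: int = 1000) -> Iterator[dict]:
    """Page through Run Activity Query results. The first page returns a queryId;
    passing it back (6.2 CU4 SP4 and above) fetches the next chunk until a page
    arrives with no events. Continuation semantics are assumed from the page."""
    params = {"query": query, "eventtime_from": eventtime_from,
              "eventtime_to": eventtime_to, "max": page_size}
    while True:
        body = send("ws/spotter/index/search", params)
        events = body.get("events") or []
        if not events:
            return
        yield from events
        params = dict(params, queryId=body["queryId"])
```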